Cloudfront signed urls for EACH user: IP address vs. public key
AWS Cloudfront signed urls Question: I'm wondering about the pros and cons of controlling Cloudfront content access on a user-by-user basis using a publicly viewable key vs. their IP address. I'm defining a public key as an arbitrary access token (e.g., a public key or ID that I've assigned to each user) as a query parameter (part 3 in the picture below, taken from the docs. The user IP address can readily be obtained server-side (with PHP using $_SERVER['REMOTE_ADDR']) and is a value encoded in the "Policy=", i.e, part 4 in the picture.
Because people increasingly have many computers and belong to many networks, IP address-based access would seem a suboptimal approach and mean that each user would need to have multiple policies and I'd have to keep track of each of these policies.
On the other hand, the query string public key-based access could be thwarted by simple cut and paste or brute force if the string is harder to know.
There must be reasons AWS recommends the IP-based approach and doesn't recommend the public key approach, but I'm having trouble understand what the point of the query parameter would be then if for not some kind of access token purpose. Thoughts?
Background for newcomers: Cloudfront signed urls allow restricting access to the content on a server (called an "origin server" in the docs) such as your S3 bucket. These signed urls can be customized (called a "custom policy", the Policy="eyANC.." part of the url above) to include the user IP address such that if you aren't using that IP address you can't have access to the content.
In my understanding, following could be the reasons to chose IP address as part of the policy.
From ip address, it is almost guaranteed that the user who received signed url is the same user making the signed url request. (I said almost guaranteed, considering the fact that the server code inserting the ip-address should be aware of the proxy x-forwarded-for header. Also remote ip address is same for everyone in the same home/office served by the same provider)
Usually, in a real world case, the expiry time of a signed url is short. (Means, your ip address will not be changing before your signature expiry.
Using ip-address, also has a benefit where you can use filters to block from known proxy users, geo locations and and security risky providers. (generally known as ip whitelisting/blacklisting )
- HTTP requests not working on aws ec2
- Amazon EC2 and EBS disk space problem
- How do I enable Data API?
- CDK Pipelines - Migrating a database in the pipeline
- Do environment variables in ECS Fargate task definitions support interpolation?
- Upgrading AWS RDS aurora from serverless v1 to serverless v2 using terraform
- AWS IAM user not able to see Billing and Cost Management Dashboard
- Amazon S3 - How to fix 'The request signature we calculated does not match the signature' error?
- Deleting last element in a DynamoDB string set
- AWS CLI on Windows won't work though using double quotes and escapes
- How to resolve 'Step Functions State Machine is not authorized to create managed-rule'?
- Understanding SQS message receive amount
- AWS Glue JDBC Connection created using Cloud Formation is not setting the password
- CloudFront charges after you invalidate your distribution over 1,000 times, does the count reset each month?
- AWS Cognito federated user login not allowing to sign in as different user after log out
- AWS s3 V3 Javascript SDK stream file from bucket (GetObjectCommand)
- Provide AWS Lex response in Hyperlink format
- Fixing yaml indentation with python
- Generate S3 URL in "path-style" format
- Trying to find the ARN pattern for AWS WAF regional
- AWS cognito: What's the difference between Access and Identity tokens?
- virtually isolate the network in the same AWS Cloud Account
- AWS start sandbox from tutorial
- Can I stop a spot instance in aws just like I can stop and start an on demand ec2 instance
- FastAPI app works locally, but /blogs endpoint causes redirect loop on AWS Lambda deployment
- Get pdftotext Python module running on Lambda
- Kubernetes: how to set VolumeMount user group and file permissions
- Invalid arn error for terraform code with kms data resource
- Unable to import module 'src.main': No module named 'dependencies' when uploading FastAPI zipped project to AWS Lambda
- Unable to update AWS AppRunner VPC connector via CDK